After successful exploitation of the newly discovered vulnerability, CVE-2013-1493, “svchost.jpg” (b6c8ede9e2153f2a1e650dfa05b59b99) file is loaded from the same server hosting the Java 0day. Then McRAT (aka Trojan.Naid) malware (4d519bf53a8217adc4c15d15f0815993) is dropped. Regarding the detection ratio of this malware (21/46), it seem that the Java 0day could be used in Exploit Pack.

Symantec has report some connections through the new Oracle Java 0day with the Bit9 security incident. In the actual Java 0day security incident case, “appmgmt.dll” file, dropped by “svchost.jpg“, is detected by Symantec as Trojan.Naid. Trojan.Naid sample is connecting 110.173.55.187 C&C server. In the Bit9 security incident case, Trojan.Naid was also present and also connecting to 110.173.55.187 C&C server. Symantec detect this Java 0day as “Trojan.Maljava.B” and regarding associated threat assessment, less than 49 computers were infected and less than 2 websites were used in the watering hole attack.

Some security researchers are actually studying the sample, it is question of days before this 0day will be widely exploited.